If I chmod a directory to 777, what exactly does "Everyone" mean? Anyone who connects with FTP without using the password or something else?

I have a Wordpress CMS and I'm trying to install a plugin, however it has decided it can't download the plugin to a temp directory, so I'm guessing I need to chmod something, doesn't say what. But I don't want to chmod to 777 and give anyone access to the server?

It's not going to magically give random people FTP access if you don't have an FTP server installed, but if you DO have an FTP server that allows anonymous logins and the server is not set up to restrict them, then yes, anonymous FTP users would have full access to that directory.
– DerfK, Jan 20 '11 at 23:50

4

I personally refuse to allow Wordpress write access to the plugin directory. Maybe I am overly paranoid, but I prefer to manually download and install them.
– Zoredache, Jan 21 '11 at 0:19

5 Answers
5

As Christopher Evans said, chown the plugin and temp directories to the user (or group) the web server is running as and set appropriate permissions. If you don't have access to chown the directories you're pretty much stuck with setting the mode to 777 (world-writable).

Everything else is the abbreviated Unix permissions lecture - you can get the same thing from man chmod with lots more detail.

The three fields for unix permissions are owner, group and other.

Each field is a bitmask, with the values being 1 (execute (& list contents of a directory)), 2 (Write) and 4 (Read)

The permissions on a file are determined by those values -

777 grants Owner, Group and "Other" (people who are neither the owner nor in the group) full access to read, write/modify and execute/list contents of the file/directory in question.

007 grants that level of access only to "Other" people -- The owner would have no access

770 grants the user and group full access, but denies it to everyone else.

This is probably what you want to do - leave yourself as owner and chown the directory to the webserver's group.

Sorry if I ask you here this, but if a person wants to checkout the directories, what does it mean? checkout does not necessarily mean to write or execute, right? I could simply give, for example, the permissions to read, and the people could checkout anyway, right?
– Rinzler, Oct 10 '14 at 15:39

The downside being that if there is any buggy application running on the web server, then that application can now be used to write a script to the plugins directory which will get executed.
– Zoredache, Jan 21 '11 at 0:20

1

Correct. To bypass this possibility, either install the plugin via a shell manually, or give permissions temporarily, install the plugin, then remove the permissions.
– becomingwisest, Jan 21 '11 at 0:43

Think of it as three separate numbers, and from left to right it stipulates the access that the user, group and anyone else has. By everyone it means anyone who is logged into your server (via FTP, SSH or anything else).

If you give everyone 7 permissions (which means read, write AND execute), they can do any of those things. In terms of a directory, they need execute to open the directory so the only real issue is the w, which means they can create a new file inside the directory or rename it. If your webserver can create .php files inside the DocumentRoot, this is very bad in the instance that your website somehow allows this (not as unusual as you'd think).

Wordpress is trying to write to a directory so it really only needs access as the user it's being run as. Annoyingly I think that Wordpress checks the user of a directory rather than its ability to write to it, so this might be your problem. Alternatively, create a php file inside the website with <?php phpinfo(); ?> inside it. Browse to this page and double check that PHP safemode isn't turned on (another common issue with PHP's writing). Also, check the error log for that website as it will contain a lot of useful information.

In your specific case, chmod'ing the directory to 777 will mean that anyone who can access the directory will have full access to everything. It may be simplest to grant 777 access to the target directory, do your upload, then immediately lock the directory down. You do NOT want to leave your system that way.

I would personally try to understand what UID is involved with the failed transaction and see if granting different ownership or group access would work better, depending both on what I immediately wanted to do and what I might want to do in the future.

--

(*) = using this mechanism. Things get more complicated with ACLs and extended attributes, but that's beyond this question's scope
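The owner/group/other bitmask described in the answers, and the advice to work out which UID is involved, as an added Python example that is not part of the original posts. The UIDs and GIDs (1000 for the site owner, 33 for the web server) and the sample modes are constructed for illustration; root and ACLs are ignored.

```python
import os
import stat

# Constructed IDs for illustration: 1000 = site owner, 33 = web server user/group.
SITE_OWNER, WEB_UID, WEB_GID = 1000, 33, 33

def applicable_class(st_uid, st_gid, uid, gids):
    """Exactly one class applies, checked in this order, with no fall-through."""
    if uid == st_uid:
        return "owner"
    if st_gid in gids:
        return "group"
    return "other"

def effective_bits(mode, st_uid, st_gid, uid, gids):
    """Return the 0-7 triplet that applies to this uid (root and ACLs ignored)."""
    cls = applicable_class(st_uid, st_gid, uid, gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    return (stat.S_IMODE(mode) >> shift) & 0o7

def rwx(bits):
    """Render a triplet: 4 = read, 2 = write, 1 = execute / enter directory."""
    return "".join(ch if bits & val else "-" for ch, val in (("r", 4), ("w", 2), ("x", 1)))

def can_create_files(mode, st_uid, st_gid, uid, gids):
    """Creating or renaming entries in a directory needs write AND execute."""
    return (effective_bits(mode, st_uid, st_gid, uid, gids) & 0o3) == 0o3

def world_writable_dirs(root):
    """List directories under root whose 'other' triplet includes write."""
    hits = []
    for path, _dirs, _files in os.walk(root):
        if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
            hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # (mode, directory owner, directory group): constructed cases from the answers
    cases = [(0o777, SITE_OWNER, SITE_OWNER), (0o770, SITE_OWNER, WEB_GID),
             (0o007, SITE_OWNER, SITE_OWNER)]
    users = [("owner", SITE_OWNER, {SITE_OWNER}), ("webserver", WEB_UID, {WEB_GID}),
             ("stranger", 2000, {2000})]
    for mode, o, g in cases:
        for who, uid, gids in users:
            bits = effective_bits(mode, o, g, uid, gids)
            print(f"{mode:03o} {who:9} {applicable_class(o, g, uid, gids):5} "
                  f"{rwx(bits)} create={can_create_files(mode, o, g, uid, gids)}")
    print("world-writable:", world_writable_dirs("."))
```

Running `world_writable_dirs` over the site root after a plugin install shows whether any directory was left at 777.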